VIRUS ALERTS

Fleercivet

Original Issue Date: June 02, 2016

Virus Type: Trojan

It has been reported that a malware named "Fleercivet" is spreading. It is a Trojan horse with rootkit functionality that it uses to hide itself on infected computers. The Trojan propagates through deceptive and stealthy methods such as bundled freeware downloads and spam e-mails carrying malicious file attachments. It can disable common anti-virus programs by killing their processes. It affects all versions of Windows and consumes system resources (RAM, CPU, hard disk and internet connection), which can cause serious damage to the computer.

The malware is capable of performing the following functions:

It is able to detect a virtualized environment/virtual machine. The Trojan does not exhibit its malicious functionality if a virtual environment is detected.

It may drop further malware such as browser hijackers, adware, keyloggers and other Trojan families.

It could steal sensitive and confidential information from the infected system, which could lead to further attacks.

On systems running a 64-bit OS, the malware drops additional files with randomly generated names, fetched from a remote server, into the %User Temp% directory, and it may periodically try to download and run such files on the compromised system: %User Temp%\{Random Filename}.tmp

It injects additional malicious code into Internet Explorer (iexplore.exe) to monitor network activity. In order to keep monitoring the system, it also injects code into explorer.exe and into one of the following processes, depending on the version of the operating system:

explorer.exe

svchost.exe

dwm.exe

taskhostex.exe

Registry Changes

The Trojan copies itself to %APPDATA%\chromeupdate.exe and creates a registry entry so that it restarts itself on every system reboot.
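As an added example (not part of this alert), the following Python script triages a host for the persistence artefacts named above: the copy at %APPDATA%\chromeupdate.exe and an autorun entry that launches it. The alert does not name the registry key, so the script assumes the usual HKCU/HKLM Run keys; the sample Run-key values and the AppData path are constructed for the example.

```python
"""Triage a host for the Fleercivet persistence described in this alert:
%APPDATA%\\chromeupdate.exe plus a Run-key entry that launches it.
Added example, not part of the advisory."""
import ntpath
import os
import re
import sys

PERSISTENCE_EXE = "chromeupdate.exe"

# Assumption: the alert does not name the key, so the standard per-user and
# machine-wide Run keys are checked.
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]


def command_path(value_data):
    """Extract the executable path from a Run-key command line, handling
    both quoted ("C:\\a b\\x.exe" /arg) and unquoted (C:\\x.exe /arg) forms."""
    value_data = value_data.strip()
    if value_data.startswith('"'):
        end = value_data.find('"', 1)
        return value_data[1:end] if end > 0 else value_data[1:]
    return value_data.split(" ", 1)[0]


def expand_appdata(path, appdata):
    """Substitute %APPDATA% (any case) so the comparison is deterministic
    even where the environment variable is not set."""
    return re.sub(r"%appdata%", lambda _: appdata, path, flags=re.IGNORECASE)


def is_fleercivet_autorun(value_data, appdata):
    """True when a Run-key command launches chromeupdate.exe from %APPDATA%."""
    path = ntpath.normcase(expand_appdata(command_path(value_data), appdata))
    expected = ntpath.normcase(ntpath.join(appdata, PERSISTENCE_EXE))
    return path == expected


def find_autorun_hits(run_values, appdata):
    """Return the names of Run-key values that match the persistence entry."""
    return [name for name, data in run_values.items()
            if is_fleercivet_autorun(data, appdata)]


def collect_run_values():
    """Read the Run keys on a live Windows host; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    values = {}
    for root, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(roots[root], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    values[f"{root}\\{subkey}\\{name}"] = str(data)
                    index += 1
        except OSError:  # key absent or not readable
            continue
    return values


def triage(appdata, run_values):
    """Summarise both indicators: dropped file present, autorun entries found."""
    return {
        "exe_present": os.path.exists(os.path.join(appdata, PERSISTENCE_EXE)),
        "autorun_entries": find_autorun_hits(run_values, appdata),
    }


# Constructed sample: two benign entries and two forms of the malicious one.
SAMPLE_APPDATA = r"C:\Users\bob\AppData\Roaming"
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "ChromeUpdate": r'"%APPDATA%\chromeupdate.exe"',
    "Updater": r"C:\Users\bob\AppData\Roaming\chromeupdate.exe -s",
    "GoogleUpdate": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c',
}

if __name__ == "__main__":
    live = collect_run_values()
    appdata = os.environ.get("APPDATA", SAMPLE_APPDATA)
    print(triage(appdata, live or SAMPLE_RUN_VALUES))
```

On a Windows host the script reads the real Run keys; elsewhere it falls back to the constructed sample so the matching logic can be exercised offline.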

Once the system is compromised, the Trojan starts an invisible Internet Explorer instance to contact its C2 server and retrieve the list of URLs the malware should visit in order to generate advertising revenue. The list includes the following:

176.102.38.69

boook<4-10 random digits>.com

bugi<4-10 random digits>.com

gos<4-10 random digits>.com

hueeh<4-10 random digits>.com (for example, hueeh3349298504.com)

zdex<4-10 random digits>.net

zdxboook<4-10 random digits>.com

zoojeddhem<4-10 random digits>.net

zsdxc<4-10 random digits>.net

zugizifud<4-10 random digits>.com

The Trojan collects data about the compromised system and sends it to a remote server in encrypted form. The collected data includes the following:

Location of the infected systems like country

System name

IP Address

Operating System version

Operating System install date

Current system time

Processor type (64 or 32-bit)

The Trojan could periodically download further malicious files from remote servers and try to run them. It also sends the collected data to the remote servers listed below:

176.102.38.69

176.102.38.72

95.211.73.249

fdsifidsfjannqnnqww[d0t]com (replace "[d0t]" with "." for the actual domain)
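As an added example (not part of this alert), the following Python matcher checks web-proxy log lines against the network indicators listed in this alert: the advertising-fraud domain patterns (<prefix><4-10 random digits>.<tld>) and the C2/download/exfiltration servers. The log-line format, the client addresses and the sample lines are constructed for the example.

```python
"""Match proxy log lines against the Fleercivet network indicators in this
alert. Added example, not part of the advisory."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Advertising-fraud domains from the alert: <prefix><4-10 random digits>.<tld>
AD_FRAUD_DOMAINS = [
    ("boook", "com"), ("bugi", "com"), ("gos", "com"), ("hueeh", "com"),
    ("zdex", "net"), ("zdxboook", "com"), ("zoojeddhem", "net"),
    ("zsdxc", "net"), ("zugizifud", "com"),
]
# Servers the alert lists for C2, payload download and data exfiltration.
C2_IPS = {"176.102.38.69", "176.102.38.72", "95.211.73.249"}
C2_DOMAINS = {"fdsifidsfjannqnnqww.com"}

# (?:^|\.) lets a subdomain such as www.hueeh3349298504.com match while
# rejecting look-alikes such as xhueeh3349298504.com; the digit count is
# bounded to 4-10 exactly as the alert states.
AD_FRAUD_RE = re.compile(
    r"(?:^|\.)(?:" + "|".join(
        rf"{re.escape(prefix)}\d{{4,10}}\.{tld}" for prefix, tld in AD_FRAUD_DOMAINS
    ) + r")$",
    re.IGNORECASE,
)


def classify_host(host):
    """Return the indicator class for a destination host, or None."""
    host = host.strip().lower().rstrip(".")
    if host in C2_IPS:
        return "c2-ip"
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        return "c2-domain"
    if AD_FRAUD_RE.search(host):
        return "ad-fraud-domain"
    return None


def scan_proxy_log(lines):
    """Parse 'timestamp client method url' lines (a constructed format) and
    group indicator hits per client. Lines that do not parse are skipped."""
    hits = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        timestamp, client, _method, url = parts[:4]
        host = urlsplit(url).hostname
        if not host:
            continue
        category = classify_host(host)
        if category:
            hits[client].append((timestamp, host, category))
    return dict(hits)


# Constructed sample: one clean client and one showing the Fleercivet pattern
# (C2 check-in, ad-fraud visits, exfiltration), plus two near-miss hosts.
SAMPLE_LOG = """\
2016-06-02T09:58:10Z 10.0.0.7 GET http://www.example.com/index.html
2016-06-02T10:00:01Z 10.0.0.5 POST http://176.102.38.69/gate
2016-06-02T10:00:04Z 10.0.0.5 GET http://hueeh3349298504.com/
2016-06-02T10:00:09Z 10.0.0.5 GET http://www.zdex12345678.net/click?id=9
2016-06-02T10:00:12Z 10.0.0.5 GET http://fdsifidsfjannqnnqww.com/upload
2016-06-02T10:01:00Z 10.0.0.7 GET http://gosling.com/news
2016-06-02T10:01:05Z 10.0.0.7 GET http://xhueeh3349298504.com/
""".splitlines()

if __name__ == "__main__":
    for client, events in scan_proxy_log(SAMPLE_LOG).items():
        print(client)
        for ts, host, category in events:
            print(f"  {ts} {host} [{category}]")
```

Because the ad-fraud domains are generated with random digits, an exact-match blocklist is useless for them; anchoring the pattern on the known prefix, the digit count and the TLD catches new instances without matching ordinary domains that merely start with the same letters.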

Countermeasures:

Delete the system changes made by the malware, such as the files it creates (%APPDATA%\chromeupdate.exe and %User Temp%\{Random Filename}.tmp), its registry entries and any services it installs.

Block and monitor traffic to the IP addresses and domain patterns listed above, and investigate any host that contacts them.